Live hacking of embedded medical devices | Medical devices’ security

Medical devices’ security

Digitalization has already entered into the medical field and serving patients in their health care. Many medical devices are programmed to allow doctors easy access in case reprogramming is necessary for an emergency, so medical devices’ security has never been the top priority for designers. So, this will serve as a chance for a hacker.

How is it done?

Implantable Medical Devices (IMD) like insulin pumps and pacemakers/defibrillators are consigned with vital tasks in terms of medical care, measuring and gathering data on the vital signs and passing it on to doctors and nurses, delivering insulin/painkillers at proper rates and direct stimulation of an organ’s critical function, as in the case of pacemakers. IMDs are like microcomputers that not only have the hardware but also have a developed software core at their disposal that “A pacemaker may depend on more than 80,000 lines of source code to keep it going, and a magnetic-resonance imaging (MRI) scanner more than 7m lines”.

However, there are many ways of risks faced by the medical experts as well as patients from these hackers. The latest hackers are trying somewhat new from the previous hacking experiences. First, the hacker fishes a busiest medical system or IMD and targets on it. After sufficient time, he used to track the entire data in it and keeps it under his control. At a particular time, he blocks the data in it and demands money to release it. This is the way the hackers are making money from health care organizations and even patients.

Is it a real threat or just a fantasy?

Anyone who watched season 2 of the TV show Homeland saw the fictional vice president William Walden killed after his pacemaker was hacked and heart shocked. But did you know the former VP Dick Cheney had the wireless signal in his pacemaker disabled for the panic of hackers before the Homeland episode was even displayed? This incident seems to be a fantasy. But it is not. Contemporary health care relies heavily on medical devices to help patients lead normal and healthy lives.

There are security problems extending from cyber exploitation to common bugs in the software. These days, hackers are finding new ways and are majorly targeting the Implantable Medical Devices that too pacemakers, defibrillators and insulin pumps in particular. After facing the incident of WANNACRY, we can’t say it as fantasy. It is a real threat to the health care organizations and even patients too.

What are the dangers?

Today, most of the medical devices are becoming wireless, and many people are already using them. They serve patients and doctors in such a way that to specify the time of insulin doses, monitoring glucose levels, a frequency of heart shocks and even making updates or modifications without requiring surgery. A medical device affected with malware can stray from its expected behavior. For instance, malware can cause a device to slow down and miss critical interruption.

When this happens in high-risk situations, then medical professionals can no longer trust the integrity of the sensor readings and depend on the backup method.

This leads us to step into the same old model where recordings of values are done in a lab and which takes a long time procedure. This may be a danger to the fast moving world where time plays a vital role in every human’s life and who have already depended on these wireless medical technologies. Another significant danger is it may lead to the death of a person who has implanted a device pacemaker, and people may lose trust in the modern health care techniques. This may result in a significant loss for health care institutions and as well as governments.

How to ensure medical devices’ security?

The malware spreads through malicious links and emails to which the patients have connected their devices to specify their condition to their doctors and making the doctors monitor daily towards them. They can also obtain suggestions through emails only. So, if we try not to open the unknown emails and also links from them, the problem can somewhat be avoided. By installing a total security antivirus and updating it daily can make us protected.

Another risk is that people do not feel that passwords are not time-efficient in the event of an emergency. For example, if the person with the device is unconscious. These benefits someone with bad intentions subverting the connectivity embedded in these life-sustaining gadgets. So, please don’t reveal your passwords with or in front of any unknown persons. These are all just the safety measures and to completely avoid this cyber threat, governments must take action to such people by tracing them.

Initiatives and research

The US Government Accountability Office has released a report claiming that Implanted Medical Devices such as pacemakers are susceptible to hackers. After this, many people and institutions have researched this. Many ordinary citizens do not apprehend the concept of white hat hacking. They shiver at the thought that someone could remotely utilize an apparatus that sustain essential functions in their body, yet if the person who does it has good intentions to develop the defense system of what is next in the pipeline.

1. Barnaby Jack from McAfee succeeded in taking control of both an insulin pump’s radio control and vibrating alert safety mode. Jack’s hacking kit included a unique piece of software and a custom built antenna that has a scan expanse of 300 feet and for which the worker does not need to know the serial number.

Therefore, the advanced models of Medtronic insulin pumps, provided with small radio transmitters enabling medics to adjust function, can become an easy victim to this hacking invention that scans around for insulin pumps. Once the hacker sets foot on the targeted machine, he can then disable the warning function and make it separate 45 days worth of insulin all at once, a dose that will potentially kill the patient.

2. IBM computer security specialist Jay Radcliffe made a presentation on how an insulin pump can be managed to disperse a lethal amount of insulin. As part of the reconnaissance phase, Radcliffe performed a check-up of the manual for his insulin device. From there he obtained the exact frequency and modulation scheme his apparatus operates on, the frequency of the broadcasts and the size of the packet. Also, the Federal Communication Commission (FCC) ID of the device got also in the manual allowed him to get the patent documents for the instrument, an abundant source of invaluable data on the functionality and configuration of the device.

His verdicts resulted in the purchase of the Arduino module, a wireless peripheral, which employed related frequencies over those of the insulin pump he maintained.

The command codes and message formatting were readily discoverable on Google, although the manufacturer had not exposed this information.

The wireless peripheral device can investigate for insulin pumps in the vicinity of 100 to 200 feet. Once a pump is in sight, adjusting configuration settings would only take seconds. However, the intruder needs to identify first the serial number of the targeted insulin pump, and after that, he would have to have physical access to the device before its wireless hacking.

3. Cooperation between teams of researchers from Rice University and the defence firm RSA has built the heart-to-heart system, an action that may protect IMDs. Based on a heartbeat reading, this new system serves as a biometric authentication to validate that whoever is attempting to download data or reprogram basic features of the devices is a real person entitled to do so, not a remote hacker. For the heart-to-heart system to work, a doctor utilizes a device against the patient’s body, which measures the heartbeat. This measurement of the patient’s pulse is run against the reading sent through a wireless signal coming from the IMD itself.

If the signals are equal, then the handshake is completed, and the medical personnel gains access to the implant. The research scientist at BBN Technologies Shane Clark provides clear evidence that in the circumstances of IMDs, traditional security systems “have the potential to endanger the lives of patients in an emergency situation where authentication fails.”

Scientists contemplate that in the near future, the heartbeat authentication scheme will be implemented in PCs, notebooks, smartphones, tablets, etc. as a contrivance for identification. For now, the fingerprinting is still more accurate, but the heartbeat biometrics is a good alternative or supplement.

4. Another joint venture between Princeton University NJ and Purdue University led to the evolution of a prototype firewall that could safeguard present and also future innovations in the medical manufacturing industry against information threats. It looks for: Physical anomalies unusual characteristics of the wireless signal can indicate the presence of danger. An example of that would signal beyond the specified range or come at different intervals.

5. Shodan, a tool that is used to scan open ports on the Internet is frequently used by security researchers to uncover critical revealed infrastructure that should be better protected”.

According to a Kaspersky researcher in Jason Murdock’s article “Shodan can find out about the software and hardware connected to the internet and if you know, for instance, what feedback an MRI or laser or cardiology device provides when you connect to its port, you can go to Shodan and find numbers of these devices and if you know a vulnerability you can hack all of them”.

6. Students at the University of South Alabama cut into iStan, a simulated human being device. IStan has “internal robotics that mimics human cardiovascular, neurological and respiratory systems.

When iStan bleeds, his heart rate, BP and other clinical symptoms change automatically.” iStan, which is used by USA’s College of Nursing, breaths, suffers from two locations, cries, secretes bodily fluids, speaks, groans, wheezes, gasps, gags, coughs and mumbles” allowing it to respond as a human being fully.

These students hacked into the iStan and were able to launch a brute force attack and denial of service attacks which interfered with the device’s ability to function, which in turn “killed” iStan.

7. Another source considering pacemaker hacking is Tarun Wadhwa on Forbes. Wadhwa explained how pacemakers are exposed: “Implanted devices have been around for decades, but only in the last several years have these devices become virtually accessible. While they allow for doctors to collect valuable data, many of these devices were distributed without any encryption or defensive mechanisms in place.

Unlike a conventional electronic device that can be placed with new firmware, medical devices are embedded within the body and require surgery for “full” updates. One of the greatest constraints to adding additional security features is the insufficient amount of battery power available”. Thankfully though, there has been no written incident of intended harm to another individual (and a minimal amount of incidents of harm to oneself) by compromising medical devices’ security.

There’s only a little bit of hyperbole in the New York Times article. The research is being conducted by the Medical Device Security Center, with researchers from Beth Israel Deaconess Medical Center, Harvard Medical School, the University of Massachusetts-Amherst, and the University of Washington.

Medical hacking is relatively a new topic that entered the public space only recently. Nowadays, most of the medical devices are connected to the Internet, and also there are interconnections within them in the name of the Internet of Things. But the problem is that there are a limited number of security measures taken with it. In a way, their proximity to computing devices reveals them to all security flaws characteristic of mainstream technology. Incidents are inevitable. The best part is that digitalization has entered into the field of healthcare and nadir is that there is a problem with using it.